ARCHIVES AND RECORDS MANAGEMENT SERVICES (ARMS) Quality Improvement Framework for Archives and Records Management Services in Scotland

Transcription

1 Taking a closer look at... ARCHIVES AND RECORDS MANAGEMENT SERVICES (ARMS) Quality Improvement Framework for Archives and Records Management Services in Scotland

2 CONTENTS Introduction 4 What is ARMS? 6 Archives and Records Management Core Outcomes 7 Self-Evaluation 9 The Quality Indicators and Illustrations QI 1: Create and Manage Trustworthy Records 14 QI 2: Protect Rights and Interests 23 QI 3: Make Sure Our Records and Archives Survive as Long as Required 30 QI 4: Help People Find and Use Our Records and Archives 39 QI 5: Work With Our Community 48 QI 6: Leadership and Management 55 QI 7: Ethos and Values 60 Appendices 1: Mapping of ARMS to Scottish National Outcomes 65 2: Mapping ARMS to How Good is Our Culture and Sport (HGIOCS) 67 3.Mapping ARMS to National Records of Scotland Model Records Management Plan 69 4: About the Scottish Council on Archives Glossary of Terms Contact 74 2

3 Copyright 2012 Scottish Council on Archives COPYRIGHT NOTICE The ARMS toolkit has been developed to assist records management improvement in Scottish public authorities. Any such public authority may use all or any part of the toolkit for the purpose of improving both its archives and records management services or either one of those services provided that it has registered with Quality Scotland and paid the applicable licence fee as stated at the time of registration. Other bodies wishing to use all or any part of the ARMS toolkit for any purpose must write to: Scottish Council on Archives General Register House 2 Princes Street Edinburgh EH1 3YY contact@scottisharchives.org.uk The communication should indicate the intended use of the toolkit. 3

4 INTRODUCTION 1. Why is ARMS Important? Information is a valuable business asset. The Archives and Records Management Services (ARMS) Framework addresses issues of self-evaluation and quality across the whole spectrum of recordkeeping and archives. That is why the Framework has been endorsed by: The Scottish Information Commissioner The Keeper of the Records of Scotland Quality Scotland 2. Contributing in Three Important Areas The Framework contributes to three areas of information-related activity that are of concern to organisations delivering public services: (a) Legislation Information is so important to our society, our governance and our economy that access is subject to such legislation as the Data Protection Act 1998, the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 However, legislation on access can only be as good as the records management regimes operating in the public sector. The Scottish Parliament recognised that reality by passing the Public Records (Scotland) Act 2011 The Act places on the Keeper of the Records of Scotland a responsibility to produce a Model Records Management Plan and other guidance that will assist organisations in their efforts to improve records management practices. The Keeper regards the ARMS Framework as a practical tool that can help organisations make such improvements. (b) Efficiency Any organisation wants to be more efficient. As a core activity archives and records management services support all parts of the business and can help deliver greater efficiency. Of course, those services must also measure their own effectiveness, demonstrate continual improvement and, most importantly, be able to show that their actions have a positive impact. A valuable asset should expect nothing less. Improving consistency and transparency of quality and performance measurement across archives and records management in Scotland will: support recordkeeping professionals in self-assessment of their services and in driving continual improvement assist in cross-sectoral comparison guide funding providers in proposing standards for and measuring the impact of their investment empower service users in holding recordkeeping professionals and/or employing organisations to account for the quality of archives and records management services 4

5 provide a model for assessing the cost-effectiveness of service provision in the sector improve the evidence base for developing the archives and records sector (c) The National Picture The National Performance Framework (revised December 2011) sets out clearly the National Outcomes expected by the Scottish Government. While archives and records management services can contribute to several of them, one is of direct interest, namely, Our public services are high quality, continually improving, efficient and responsive to local people s needs. The ARMS Framework is the statement of outcomes and performance indicators by which the archives and records management sector: defines its own business strives to deliver improved services on behalf of its employing organisation and its customers seeks to contribute to the National Outcomes 5

6 WHAT IS ARMS? 1. Flexible Tool The ARMS framework outlines key outcomes and performance indicators for archives and records management services. It has a clear message efficiency is best served by drawing together scarce resources and expertise into a single integrated archives and records management service. Where such integration is impractical, nonetheless in-house expertise should be harnessed to the full. This can be especially important when settling the terms of reference for a consultancy or when working with a consultant. However, ARMS is not prescriptive. It is designed to be a flexible tool that meets the varied needs and on the ground realities of services that exist in many sizes and models: Those operating as standalone archives and/or records management services can choose the performance indicators best suited to their services. Some tailoring of performance indicators may be required for non-integrated archives and records management services. The Framework also applies regardless of size, though again some tailoring of its application may be required to address the needs of smaller services. 2. Who Should Use ARMS? This Framework is especially important in the context of the Public Records (Scotland) Act 2011 It assists in securing the necessary improvements in records management and in maintaining and building on those improvements. This Framework is relevant in particular to: managers with responsibility for archives and records management services and to the heads of such services staff involved in the ARMS self-evaluation process quality improvement officers and others who may be assessing the Archives and Records Management Service in an organisation 6

7 ARCHIVES AND RECORDS MANAGEMENT CORE OUTCOMES ARMS has identified 4 Core Outcomes for archives and records services: 1. Help people trust organisations (accountability) 2. Select and make our individual and community 1 stories accessible (access) 3. Support efficient delivery of services 4. Management and governance As the use of the term Core Outcomes indicates, these are the high level results that make a significant difference in terms of the service itself and the impact of what it does on its users. Quality Indicators (QIs) To assess how well archives and records management services are delivering on these outcomes, 7 key Quality Indicators have been identified: QI 1: Create and manage trustworthy records QI 2: Protect rights and interests QI 3: Make sure our records and archives survive as long as they are required QI 4: Help people find and use our records and archives QI 5: Work with our community QI 6: Leadership and management QI 7: Ethos and values The 7 QIs together add up to a comprehensive picture across the full range of archives and records management services. In reality they should be regarded as a menu offering the opportunity to focus on particular aspects of the services provided. There will usually be sufficient resources essentially staff time to concentrate on just one QI at a time or, at best, two. However, the size, resources available and immediate needs of an organisation may dictate that only the most pertinent elements of a single QI are tackled at a particular time. Prioritisation is important and should be clearly based on what is of most immediate importance to the service at the time. If a complete picture is the ultimate goal, it must be recognised that it will take time to achieve it. 1 This document uses community to describe groups of both internal and external stakeholders. A definition of stakeholders being a person, group, or organisation that has direct or indirect stake in an organisation because it can affect or be affected by the organisation's actions, objectives, and policies. 7

8 Choosing a particular QI does not result in loss of flexibility. ARMS is not a box ticking exercise. At an early stage, the content of the QI i.e., the questions and the associated prompts should be examined to determine their relevance (or otherwise). That sifting will ensure that there is no attempt to associate inappropriate responses and evidence with questions that should have been set aside at the start of the exercise. This flexibility is especially important for small services that might otherwise regard the ARMS Framework as not for them. Each QI has been mapped to the core outcomes, thus providing a method of assessing how well overall outcomes are being achieved: SELF-EVALUATION? 2 1. What is self-evaluation about? Self-evaluation provides an Archives and Records Management Service whatever its makeup with the opportunity to take the time out to look at itself: how it operates, how it delivers its services and how it might improve in identified areas of most immediate importance. 2 This section has been modified from Part 1: What is self evaluation for improvement about How Good is Our Culture and Sport. HM Inspectorate of Education. Draft April

9 2. What is self-evaluation about? Self-evaluation provides an Archives and Records Management Service whatever its makeup with the opportunity to take the time out to look at itself: how it operates, how it delivers its services and how it might improve in identified areas of most immediate importance. Self-evaluation is concerned with: being forward looking celebrating success and achievement change and improvement, and well-considered innovation in service delivery and activities Looking at the quality of services delivered provides opportunities for: staff reflection and dialogue both effective support and healthy challenge (neither timidity nor point scoring are helpful) identifying what will result in clear benefits/outcomes for both the service itself and the communities served Self-evaluation is not a single or periodic event. It is an ongoing process driven by a culture wedded to maintaining and enhancing the impact of quality of service on the communities served. It is a well-focused means to an end, rather than an end in itself. 3. Ongoing Process Self-evaluation should be structured around three key questions: How are we doing? Services need to assess the impact of their work with individuals and with communities in order to know those services are: - appropriate, i.e., based on community need - high quality, and in line with best practice - in need of review and improvement - improved by change and adaptation The QIs can be used to form an initial high level view of quality and performance across the services provided. Broad strengths and weaknesses can be identified by using evidence gathered in day-to-day work and service delivery. This approach makes an immediate evaluation of areas of major strength or those requiring more attention. 9

10 How do we know? The QIs provide broad themes on which to build the gathering of evidence. Self-evaluation is evidence-based: collection and then review of the evidence for outcomes and impacts. The service undertaking self-evaluation must identify how it knows and, more importantly, can demonstrate that it is performing well. Judgments are made strictly on the basis of evidence. Suggestions they are no more as to possible evidence are included against the evaluation questions. Individual services may find a range of other evidence that supports robust assessment. Range of evidence evidence underpins self-evaluation processes by demonstrating proof of activity and, even more importantly, impact. It can help to establish how well the service meets users needs. Evidence can be qualitative or quantitative: - quantitative evidence - what can be measured, e.g., the number of FOI requests received - qualitative evidence - draws out the value users put on services, and this is often unstructured in format, e.g., feedback from users How to gather evidence evidence can be gathered by assessing key sources such as: - performance data - relevant documentation - consulting users, non-users and staff - direct observation of practice These sources of evidence are complimentary. No single source can on its own supply evidence for robust evaluation. Yet, it is important to avoid unnecessary duplication in the evidence collected. If several pieces of evidence are illustrating the same point, it is advisable to select the best example. The principle of triangulation is widely used to test evidence: scrutiny of one evidence source backed up by another and corroborated by at least a third line of enquiry. Thus: Performance data: e.g., statistical data relating to service provision Relevant documentation: e.g., strategic plans and policies supporting service delivery Users, non-user and staff views: Views can be gathered systematically when individuals are accessing and using the service. The same systematic approach should be used for non-users. Organisations should have in place user surveys, i.e., questionnaires and/or focus groups. Unless information is gathered from users, non-users and staff, it would be difficult to understand the impact of the services. Indeed, absence of such information would make it almost impossible to have any degree of confidence in the outcomes of self-evaluation Direct observation: This involves visiting activities and observing first-hand the inputs of staff/volunteers and the outcomes for users. It also involves looking at the delivery models, methodology and resources as well as individual motivation and performance 10

11 What are we going to do now? As services progress through the self-evaluation process, strengths in provision and areas for improvement will be identified: - Strengths in provision need to be celebrated, maintained and continuously reviewed - Areas for improvement require discussion and analysis Self-evaluation provides a strong basis for the planning of those actions that will result in service improvement. The action plan should be documented and implemented. It is important that it feed into a continuous cycle of review and improvement, i.e., self-evaluation is definitely not a one-off exercise. 4. Levels of Effectiveness 3 On the basis of evidence gathered during self-evaluation, the particular aspects of performance or practice chosen should be deemed to fall within one of 5 levels of effectiveness, from excellent to unsatisfactory. The levels of effectiveness must be seen within the context of resources available to a service. The process is not judgmental but rather is about improvement. It is important to balance a firm commitment to improvement with an equally firm focus on the realities of limited resources. Improvement plans must be stretching. However, they must not be so unrealistic as to be undeliverable and therefore doomed to failure. Level 5: Excellent - clearly excellent or outstanding - very best practice worth disseminating beyond the service - individuals experiences and achievements of a very high quality - very high levels of performance that are sustainable Level 4: Very Good - major strengths - high but achievable standard of provision - very few weaknesses if any that do not diminish individuals experience - services seize opportunities to improve and strive towards raising performance to excellent Level 3: Good - provision with important strengths that have positive impact 3 The levels of effectiveness have been adopted from the Building on Success: A Public Library Quality Improvement Matrix for Scotland, Scottish Library and Information Council, March These are compatible with the levels of excellence adopted in HGIOCS 11

12 - areas requiring improvement in some way diminish the quality of individuals experiences - services seek to improve further areas of important strength while taking action to address some areas for improvement Level 2: Adequate - provision where strengths just outweigh weaknesses - individuals have access to basic level of provision - strengths have positive impact on individuals experiences - weaknesses do not have substantially adverse impact, but do constrain quality of the individuals experiences - services seek to address areas of weakness, while building on strengths Level 1: Unsatisfactory - major weaknesses in provision that impact negatively and significantly on the quality of individuals experiences - the weaknesses will require immediate remedial action that is structured and planned - improvement requires strategic action and support from senior managers - it may involve work alongside other staff or agencies in or beyond the organisation 5. ARMS and the future (a) A Changing Framework The ARMS Framework has been designed to be a flexible tool. That flexibility extends to its adaptation and evolution as the pool of experience grows. As more archives and records management services in the public sector opt to use the tool, their insights will help it to evolve and to meet the challenges of tomorrow. The Feedback and Contact page within the online tool is there to allow users to both seek assistance and submit feedback. Users are encouraged to use this facility to help shape and improve the tool. (b) The Future The maintenance and further development of ARMS will require commitment not only from the sponsor of the Framework the Scottish Council on Archives but also, and more importantly, from those who use the tool and are in a position to share their experience and insights. ARMS will achieve maximum effectiveness only if: it is shown to be evidence-based and robust it results in benefits for the individual services that use it it creates a community of users who, having gone through the process, see the benefit of mutual support and co-operation 12

13 it inspires users to sign up for an SCA-supported validation team that examines and tests the evidence put forward by a service and that reports on it it has an impact that helps to produce the step change needed to deliver improved archives and records management services, business improvement in participating organisations and a significant contribution to the National Outcomes 13

14 THE QUALITY INDICATORS AND ILLUSTRATIONS Quality Indicator 1: Create and Manage Trustworthy Records Outcome: This indicator contributes to: Outcome 1: Help people trust organisations (accountability) and Outcome 3: Support efficient delivery of services Themes: This indicator is concerned with the following themes: Archives and Records Management policies and procedures defining responsibilities ensuring business is documented appropriately creating reliable and trustworthy records managing records in reliable and routinely used systems ensuring that records can be produced on demand enabling scrutiny of decisions and actions accounting for records that cannot be presented on request Description: Reliable and trustworthy records are integral to any organisation's activities, processes and systems. They underpin business efficiency, accountability, risk management and business continuity. They also enable organisations to capitalise on the value of their information resources as business, commercial and knowledge assets and to contribute to the preservation of collective memory, responding to the challenges of the global and digital economy. Capturing and managing trustworthy records is the primary enabler of access to recorded information over time. Archives and Records Management Services should take a planned and systematic approach to defining, implementing and monitoring the creation and management 14

15 of records within their organisation, including adherence to published standards - e.g., ISO and benchmarking activities against peer organisations. Systems (manual and automated) that support the management of records should be relied upon by the organisation and routinely used in conducting business. Records should be persistently linked to the business being undertaken and presented when requested in forms that enable the story of the related events to be clearly told. Archives and Records Management Services should: Have a clearly articulated set of recordkeeping policies which identify responsibilities for records creation, capture and management and which are implemented, and reviewed on a regular basis Ensure recordkeeping responsibilities are known, documented and monitored for compliance Establish a formal corporate records system that is are regularly reviewed and monitored for use and compliance with rules Analyse business processes to identify recordkeeping requirements and ensure that records arising from business transactions are routinely captured into a system Manage recordkeeping processes in accordance with industry standards Present records to enquirers as chains of transactions which enable them to be interpreted in the context of the business functions and activities that created them Be able to explain the absence of records Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement What impact does the recordkeeping policy have on the organisation? A comprehensive recordkeeping policy, covering all records and archives of the organisation, provides authority to a recordkeeping programme for its ongoing work. A recordkeeping policy might include a number of more specific subsidiary policies to enable comprehensive Frequency of update or review of recordkeeping policy Referenced in other information-related policies 15

16 coverage of all records-related policy matters. A recordkeeping policy effectively linked to related policies (such as information management, information security, information storage, , donations, access to information and records, compliance requirements etc) assists in embedding good, consistent recordkeeping throughout the organisation. It minimises the risk of creating a records silo unconnected to other organisational priorities and policies. References other information-related policies Cited as an authoritative statement by members of the organisation Used in specific cases as authority for action, or as a reference point How well do staff understand and comply with their recordkeeping responsibilities? Responsibility for creating and capturing records of business is the responsibility of all staff performing organisational business. However, this needs to be accepted by all staff who also need incentives to comply with these requirements. They also need appropriate training and support to enable them to meet their responsibilities. Recordkeeping responsibilities incorporated into individual job statements Recordkeeping responsibilities included in individual performance reviews/measures Recordkeeping training included in induction training Ongoing recordkeeping training/refresher training 16

17 regularly available How effective is the corporate records system? The corporate records system provides the rules, technologies, and resources to support organisational recordkeeping. It may encompass multiple application systems, including EDRMS, business systems and archives control systems. To have an impact on the organisation, and to enable the creation of trustworthy records, supported over time, the system must be implemented, routinely used and monitored. A defence against challenge to trustworthy records is that the system was routinely used in the course of business. Number of approved records applications in use Information audit/records inventory Number of personal, nonofficial or non-compliant systems known about, unconnected to the corporate records system Assistance provided to specific parts of the organisation with recordkeeping issues Statistics on: number of records created quantity of electronic records under control/not under control number of application system users to potential users use of the approved classification scheme successful retrievals 17

18 from the system number of trained users unauthorised access attempts How comprehensively analysed is the business of the organisation to identify recordkeeping requirements? Identifying recordkeeping requirements in work processes enables identification of the records of the processes that need to be captured and managed. This analysis can contribute to development of business classification schemes or to the implementation of process automation. Records may be captured into a variety of corporate records application systems including EDRMS (electronic document and records management systems), ECM (electronic content management systems), business systems or designated network shared drives. Analysis for recordkeeping requirements, conducted in conjunction with business owners, enables certainty that the appropriate records, in appropriate forms are being captured by the organisation. Significant participation in analysis for automation Instances of cooperation with business owners to identify recordkeeping requirements in their processes Significant participation in information management planning for the organisation or for particular business processes Significant participation in information architecture initiatives How well does the Recordkeeping standards form an Formal adoption of the 18

19 organisation meet the requirements in recordkeeping standards? important benchmarking tool by which to measure performance of recordkeeping processes. Industry standards include BS ISO (Records Management) and more specific guidance established for Scotland s government agencies by the National Records of Scotland. High level statements of core recordkeeping processes are outlined in standards and include: determining what records to create; capture and registration; classification and indexing; appraisal and disposal; and storage and preservation. appropriate standards by the organisation Internal audit reports reporting on recordkeeping Results of internal recordkeeping performance audits Reports to external agencies about recordkeeping performance or compliance, e.g., Scottish Council on Archives, National Records of Scotland and Scottish Information Commissioner How well does the organisation present records in context? Records presented in response to an internal or external query need to be presented and interpreted in the context of the business being undertaken when they were created. Without this context records are open to mis-interpretation and can be misleading. Records can be put in context by presenting chains of transactions linked together physically, e.g., on a Explanatory information available on records systems to users Use of relationships to link records Providing search and enquiry systems that provide context to users Availability of 19

20 file or electronically (previous/subsequent documents). Details of business being conducted at the time of the record s creation can be provided by the classification of the record, in subsequently developed finding aids or by knowledgeable staff. knowledgeable staff Levels of staff assistance required to identify relevant records Number of additional finding aids to interpret context In what ways does the organisation account for the absence of records? The absence of records about a process can be a result of never creating them, losing them, passing them to another organisation or destroying them. Not being able to produce records when required, without adequate explanation, undermines the credibility of the organisation and its trustworthiness. Business analysis documents recordkeeping requirements Formal retention and disposal authorities are in place Explicit authorisation exists for all records destroyed Routine processes to destroy time-expired records are in place Records systems can provide details of any authorised acts of disposal (including destruction, transfer, loss) Outcomes of FOI requests where record not 20

21 produced Documentation is up to date for all transfers of records between organisations or parts of organisations LEVEL 5 Illustration (Level 5 = very good) Exemplar Organisation has an integrated Archives and Records Management Service. It has been operational in its current form for over 5 years. During that time, an Archives and Records Management Policy has been approved by the Board. This sets out the broad objectives of the records management programme within the organisation. It clearly identifies responsibilities for records, including the broad responsibility for all staff to create and capture records of their business processes. It sets out all the statutory requirements relevant to recordkeeping that Exemplar is required to comply with. A set of subsidiary policies have been approved to cover specific aspects such as access to records, disposal and classification. The records policy is referenced in other organisational policies, such as information security and risk management. Each policy has a clearly identified review date. Exemplar has purchased and deployed an EDRMS This has been rolled out to the whole organisation, and is used to manage electronic documents and . All staff are trained on their recordkeeping responsibilities and use of the EDRMS during induction and through refresher courses regularly run by ARMS. Compliance with the recordkeeping policy is included in the job statements of staff as a performance measure. Senior management have endorsed the EDRMS as the corporate records system. The ARMS staff monitor the use and operation of the EDRMS. A policy of routine checking of new records added to the system is undertaken to ensure that they are appropriately titled and classified, thus enabling the automatic inheritance of access and security controls and disposal periods. Monthly reports are run against new records added to the system, thus enabling regular reporting to both senior management on use and compliance with the system rules and to sections that are failing to meet performance expectations. Sessions are scheduled with specific parts of the organisation to discuss and address perceived problems. ARMS staff are included in information management and technology planning meetings, thus ensuring they know when new business systems are being proposed. Approaches are then routinely made to the business units involved in designing functional specifications for the new systems. ARMS staff seek to be included in establishing requirements for capturing records in all proposed new systems. Sometimes this results in records being maintained in business systems, and sometimes proposals for interfaces with the EDRMS are proposed. Resourcing and priorities of Exemplar then determine how well the recordkeeping requirements are met. This is an ongoing challenge, but ARMS are actively involved. 21

22 ARMS staff benchmark their performance against the industry standard BS ISO As a result of close cooperation with the Internal Audit department, the internal auditors now ask recordkeeping questions derived from the Standard so that they can report on recordkeeping during their routine audits. All staff of Exemplar have access to the EDRMS, which, within the framework of access and security permissions, allows records to be presented in structured sequences to user queries. All staff are made aware of the prohibition on destroying records during their induction and refresher records training. All destruction of records is done through ARMS, which regularly applies approved disposal authorities. Explicit permissions to destroy are obtained by the owning business unit. Metadata about the records destroyed is retained in the EDRMS with additional details noting the date of destruction and the authority used. 22

23 Quality Indicator 2: Protect Rights and Interests Outcome: This indicator contributes to: Outcome 1: Help people trust organisations (accountability) and Outcome 3: Support efficient delivery of services Themes: This indicator is concerned with the following themes: Supporting compliance requirements with appropriate evidence Protecting individual and organisational rights and responsibilities Supporting the organisation in litigation Protecting personal privacy and data protection Description: Records and archives provide evidence of business activity. Business activity is regulated, where necessary, by legislative requirements, standards and codes of conduct. Records are essential evidence of compliance with such external requirements. Non-compliance may have results that affects business viability (e.g., licences revoked, or accreditation required for funding not granted) or in public embarrassment for the organisation (e.g., bad publicity in the media or being named in parliament). Such instances undermine public trust and confidence in organisations. Good recordkeeping contributes to ensuring public trust is secured and maintained. Similarly, records are evidence of action that can be used to protect the rights, entitlements and interests of organisations and individuals (both within the organisation, and those that interact with it). Records are critical in both proving and defending legal claims brought against individuals and organisations. Being able to rely on trustworthy records in instances of litigation or other dispute is a core recordkeeping requirement for organisations. Individuals often voluntarily provide personal details to organisations to obtain services or products. The details provided are sensitive and given to enable a specific authorized action. Protecting these personal details from inappropriate or unauthorized re-use, access by third parties or access to details beyond what is required for the transaction are socially sensitive matters constrained by data protection legislation and privacy 23

24 protection best principles. Individuals have a right to access records about themselves to ensure that the details held about them are correct and to seek correction where there is a dispute. Archives and Records Management Services should: Know the compliance requirements for their organisation and identify the recordkeeping requirements to support compliance Know what records the organisation keeps Be able to produce records requested for legal processes Respect and protect personal data provided to the organisation Ensure the organisation provides authorised access to personal data Have mechanisms to support correction of personal data where necessary Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement How well identified and followed are the recordkeeping requirements in legislation, standards, codes and other relevant compliance documents? Records provide evidence that compliance requirements are being followed appropriately. Such records will be needed by the organisation when sought by external investigators (auditors, reporting agencies, etc). In cases where compliance requirements are not followed, an organisation needs to manage risks associated with non-compliance. All legislation, standards, codes and other relevant compliance documents are identified by the organisation Identification of recordkeeping requirements exists for all applicable compliance documents Business owners and also staff in relevant business units know the recordkeeping requirements of 24

25 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement compliance Risks of recordkeeping noncompliance are documented and accepted by the organisation How does the organisation know what records it has? Knowing what records and information an organisation holds is a protection against unexpected results in discovery exercises. It also provides a basis for measuring the introduction and operation of good recordkeeping practice (see Quality Indicator 1). Results of regular information audit, knowledge audit or records inventory Statistics and analysis of use of automated systems supporting recordkeeping How does organisational recordkeeping support legal processes? The existence of records can prove or disprove statements. Wherever possible, records should be managed in ways that support the risk profile of the organisation. Procedure to support gathering and production of organisational records as a result of legal requests. Able to explain and justify the absence of expected records Producing the right records causes settlement of legal case 25

26 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement Absence of right records causes legal settlement Compliance with time restrictions on court orders to produce records Compliance with time restrictions on information production (e.g., FOI requests) How effectively does the organisation protect personal data? Protecting personal and sensitive information from unauthorised release or re-use contributes to the trustworthiness of the organisation. Knowing what information is held in which business processes that require additional protections assists in developing and applying mechanisms to protect personal and sensitive data. Staff training ensures that organisational awareness of the issues is high. Routine monitoring of access and security breaches enables identification of potential problem areas requiring attention. Organisational guidelines and procedures in place for Data Protection and Freedom of Information Business processes and records that manage sensitive or personal information identified Staff trained in personal data protection Additional systemic protections for personal data in place Monitoring of access 26

27 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement breaches Complaints about data protection How well does the organisation provide authorised access to personal data and other records? Legislative rights and best practice information management enable individuals access to data about them held by others. Similarly for government organisations a public right to access records exists under Freedom of Information legislation. How well the organisation manages its obligations to both protect and allow authorised access to personal information contributes to the trustworthiness of the organisation in the eyes of the public. A range of written assistance is available to individuals seeking access to data about themselves held by the organisation Knowledgeable staff available to assist enquirers Organisational support available to enquirers Statistics on FOI and Data Protection requests: Number processed Number successful Number appealed How well do organisational systems support correcting of personal details? Organisations have an obligation to comply with legislation enabling correction of personal details, or a requirement to support best practice in this area. How well, how easily and availability of Procedures outlining methods of correcting personal details in records Records application systems support annotation 27

28 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement mechanisms supporting individuals correcting personal data contribute to public trust in the organisation. or other mechanisms to manage corrections to personal details Archives documentation systems support public tagging LEVEL 5 illustration (Level 5=very good) Exemplar organisation works in the highly regulated community care sector. Its records contain significant quantities of personal information about clients in residential and other programmes. Exemplar is accredited by NHS Scotland for various aspects of its operations. ARMS has worked with the Corporate Secretary to identify all recordkeeping requirements in the legislation, codes and accreditation requirements that Exemplar requires to follow. These have been listed and assigned to specific responsible business units. ARMS staff work with business owners to ensure that the records that they are required to create, maintain and make accessible are identified and managed within authorised Exemplar systems. The Information Compliance Officer is one of the team members in ARMS. Regular communication in staff communications keep all staff aware of their obligations in managing personal information and of the need for care and sensitivity in recording personal comments. All requests for information by ex-clients or queries from third parties to recent Exemplar records are filtered through the Information Compliance Officer, who coordinates the organisational response via the relevant business units. This work is done in conjunction with the Exemplar Archivist who often knows the history of the particular service and the likely location of records as well as the responsibilities and details of the workings of the older records systems While records sought by individuals cannot always be provided, where possible the Archivist and Information Compliance Officer conduct in person feedback to the requester for personal information. They also have access to social workers who provide counselling where personal distress might arise from the information contained in the records about the requestor or close relatives. Follow up is routinely undertaken on all personal information requests after 3 months to check on service satisfaction and that the information was appropriately explained and understood. 28

29 Exemplar has been involved in legal disputes over the quality of care and other aspects of its services. ARMS staff have worked with the Legal Department to identify records relevant to the case. The Archivist has worked with these requests to identify where relevant records might be located, following various sales and amalgamations of companies comprising Exemplar. Routine procedures exist to copy and/or transmit scanned images to external legal advisors. 29

30 Quality Indicator 3: Make Sure Our Records and Archives Survive as Long as Required Outcome: This indicator contributes to: Outcome 1: Help people trust organisations (accountability) Outcome 2: Select and make our community stories accessible; and Outcome 3: Support efficient delivery of services Themes: This indicator is concerned with the following themes: Appraisal practices Collecting scope Cultural inclusion Appropriate records and archives storage Preservation Digital sustainability Business continuity and emergency planning Sustainable records and archives systems Description: Not all records need to be retained for long periods. Determining the records that should be destroyed is the highly accountable process of appraisal, which results in formal documentation of decisions and, where appropriate, external authorization. Where destruction of records is authorized, this must be done in ways that respect the sensitivity of the records and ensure they cannot be recovered. Some Archives and Records Management Services actively collect records of other organisations to document particular aspects of Scottish society and culture. Such Services should ensure that they have defined, agreed and resourced scope for their collections and employ mechanisms to ensure that they are as culturally inclusive in their areas of collecting as can be supported. Consultation with stakeholders and community representatives are essential to enable a diversity of stories about our society to be told. Once identified as justifying long-term retention, archives and records must be protected. This involves housing in appropriate locations and 30

31 having storage conditions that assist physical protection and longevity. Industry standards - such as BS exist to support these requirements, and organisations should benchmark their practices against them. Physical things deteriorate. To manage this, organisations should have plans assessing and prioritizing conservation work down to specific item level. Digital records and archives are particularly susceptible to loss. Technological obsolescence and quickly changing software and hardware all place digital records and archives at risk. Archives and Records Management Services should - in conjunction with appropriate information technology support - define and implement digital sustainability strategies to ensure that digital records and archives will be accessible for as long as required. One aspect of this is ensuring that archives and records are properly covered in any business continuity and emergency plans. Archives and records exist within a network of context which ensures that they can be appropriately interpreted, both at the time of their creation and over longer periods of time. Records and archives documentation systems provide the contextual layers of meaning and the management tools. These systems should be understood as a vital component of records and archives programmes. Professional standards of records and archives documentation should be followed, e.g., business activity classification schemes or ISAD (G). Archives and Records Management Services should: Ensure that appraisal methodologies which determine the retention requirements of records and archives are documented and implemented Ensure a collecting or acquisition and disposal policy is reviewed and kept up to date (where appropriate) Be committed to developing holdings that maintain their relevance to users Undertake consultation with stakeholders on appraisal decisions Destroy records in a responsible manner Adhere to industry best practice storage and handling standards for archives and records Adopt preservation plans to monitor physical condition of records and archives, and prioritise conservation requirements Adopt digital sustainability strategies that monitor continuing accessibility of digital archives and records Revise business continuity and emergency plans regularly Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement 31

32 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement How effective are the appraisal methodologies? Appraisal is the recordkeeping process which determines how long records are to be retained and thus available for internal and external consultation. It is a process that is becoming much more accountable as multiple stakeholders have increasingly recognised roles in these decisions. The output of the appraisal process is a tool that identifies how long specific types of records are to be retained, typically known as retention and disposal authorities. These tools form a defence for organisations in cases where destruction of records is challenged, if routinely implemented. Degree of coverage of organisational records by authorised retention and disposal authorities How well does the Archives adhere to and promote the collecting and de-accessioning policy? Adherence to the established collecting policy and deaccessioning policy is essential to develop coherent holdings, ensure responsible growth capable of being resourced and to maintain public trust. Knowledge of the policies by staff is important to ensure its effectiveness. Staff knowledge of the collecting and deaccessioning policy Use of collections policy as a reference in seeking out or in rejecting donations Statistics on donations 32

33 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement Identification of gaps in holdings Donor agreements approved In what ways are stakeholder considerations on appraisal decisions sought? Multiple stakeholders have interests in what records are retained and for what periods of time. Stakeholders can include regulatory authorities, local communities, groups of people represented in the records and local and other historians. The extent of consultation depends on the type of organisation and its regulatory rules. Disposal of records should be transparent, documented and routinely implemented. Consultation with stakeholders on appraisal decisions improves the transparency of decision-making and enhances public trust in organisations. Documentation of consultation on appraisal recommendations Number of people consulted Number of comments received on appraisal decisions, internally and externally (where appropriate) Appraisal recommendations published on websites for public comment How well is the destruction Once authorised for destruction, Procedures identify 33

34 Questions to ask Why is this important? Evidence Possible evidence Strengths Areas for improvement policy monitored to make sure that records destruction is conducted responsibly? physical destruction should take place in ways that reflect the sensitivity of the information in the records. Instances of records inappropriately reappearing at inopportune times have been rife in the media. Such occurrences undermine public trust in organisations. approved methods of destruction Destruction is documented and certified if undertaken by a third party. Regularity of destruction processes Procedures to ensure no outstanding FOI or legal requirements requiring longer retention Unauthorised destruction reported Staff know what records they can destroy Secure destruction procedures are in place How well do physical storage and handling practices conform to industry standards such as BS 5454? Storage conditions markedly affect the longevity of records and archives. Location of storage areas should be the best that can reasonably be achieved by the organisation. Archives and Records Results of audits against industry standards Results of regular monitoring of temperature and humidity 34